Removed TLSv1 and TLSv1.1 from default ssl_protocols and friends.

Author: pluknet

xml/en/docs/http/configuring_https_servers.xml

@@ -8,7 +8,7 @@
 <article name="Configuring HTTPS servers"
          link="/en/docs/http/configuring_https_servers.html"
          lang="en"
-         rev="14"
+         rev="15"
          author="Igor Sysoev"
          editor="Brian Mercer">
 
@@ -31,7 +31,7 @@ server {
     server_name         www.example.com;
     ssl_certificate     <b>www.example.com.crt</b>;
     ssl_certificate_key <b>www.example.com.key</b>;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols       TLSv1.2 TLSv1.3;
     ssl_ciphers         HIGH:!aNULL:!MD5;
     ...
 }
@@ -59,7 +59,7 @@ The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and
 can be used to limit connections
 to include only the strong versions and ciphers of SSL/TLS.
 By default nginx uses
-“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>”
+“<literal>ssl_protocols TLSv1.2 TLSv1.3</literal>”
 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
 so configuring them explicitly is generally not needed.
 Note that default values of these directives were
@@ -110,7 +110,7 @@ http {
 
         ssl_certificate     www.example.com.crt;
         ssl_certificate_key www.example.com.key;
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols       TLSv1.2 TLSv1.3;
         ssl_ciphers         HIGH:!aNULL:!MD5;
         ...
 </programlisting>
@@ -445,6 +445,13 @@ The shared SSL session cache has been supported since 0.5.6.
 <para>
 <list type="bullet">
 
+<listitem>
+Version 1.27.3 and later: the default SSL protocols are
+TLSv1.2 and TLSv1.3 (if supported by the OpenSSL library).
+Otherwise, when OpenSSL 1.0.0 or older is used,
+the default SSL protocols are TLSv1 and TLSv1.1.
+</listitem>
+
 <listitem>
 Version 1.23.4 and later: the default SSL protocols are TLSv1,
 TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).

xml/en/docs/http/ngx_http_grpc_module.xml

@@ -10,7 +10,7 @@
 <module name="Module ngx_http_grpc_module"
         link="/en/docs/http/ngx_http_grpc_module.html"
         lang="en"
-        rev="10">
+        rev="11">
 
 <section id="summary">
 
@@ -661,7 +661,7 @@ Passphrases are tried in turn when loading the key.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>

xml/en/docs/http/ngx_http_proxy_module.xml

@@ -10,7 +10,7 @@
 <module name="Module ngx_http_proxy_module"
         link="/en/docs/http/ngx_http_proxy_module.html"
         lang="en"
-        rev="78">
+        rev="79">
 
 <section id="summary">
 
@@ -2156,7 +2156,7 @@ Passphrases are tried in turn when loading the key.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>

xml/en/docs/http/ngx_http_ssl_module.xml

@@ -10,7 +10,7 @@
 <module name="Module ngx_http_ssl_module"
         link="/en/docs/http/ngx_http_ssl_module.html"
         lang="en"
-        rev="63">
+        rev="64">
 
 <section id="summary">
 
@@ -76,7 +76,7 @@ http {
         listen              443 ssl;
         <emphasis>keepalive_timeout   70;</emphasis>
 
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols       TLSv1.2 TLSv1.3;
         ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
         ssl_certificate     /usr/local/nginx/conf/cert.pem;
         ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -621,7 +621,7 @@ ciphers when using the SSLv3 and TLS protocols.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>http</context>
 <context>server</context>
 

xml/en/docs/http/ngx_http_uwsgi_module.xml

@@ -10,7 +10,7 @@
 <module name="Module ngx_http_uwsgi_module"
         link="/en/docs/http/ngx_http_uwsgi_module.html"
         lang="en"
-        rev="51">
+        rev="52">
 
 <section id="summary">
 
@@ -1573,7 +1573,7 @@ Passphrases are tried in turn when loading the key.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>

xml/en/docs/mail/ngx_mail_ssl_module.xml

@@ -10,7 +10,7 @@
 <module name="Module ngx_mail_ssl_module"
         link="/en/docs/mail/ngx_mail_ssl_module.html"
         lang="en"
-        rev="28">
+        rev="29">
 
 <section id="summary">
 
@@ -69,7 +69,7 @@ mail {
     server {
         listen              993 ssl;
 
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols       TLSv1.2 TLSv1.3;
         ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
         ssl_certificate     /usr/local/nginx/conf/cert.pem;
         ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -421,7 +421,7 @@ when the SSLv3 and TLS protocols are used.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>mail</context>
 <context>server</context>
 

xml/en/docs/stream/ngx_stream_proxy_module.xml

@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_proxy_module"
         link="/en/docs/stream/ngx_stream_proxy_module.html"
         lang="en"
-        rev="32">
+        rev="33">
 
 <section id="summary">
 
@@ -568,7 +568,7 @@ Passphrases are tried in turn when loading the key.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>stream</context>
 <context>server</context>
 

xml/en/docs/stream/ngx_stream_ssl_module.xml

@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_ssl_module"
         link="/en/docs/stream/ngx_stream_ssl_module.html"
         lang="en"
-        rev="36">
+        rev="37">
 
 <section id="summary">
 
@@ -62,7 +62,7 @@ stream {
     server {
         listen              12345 ssl;
 
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols       TLSv1.2 TLSv1.3;
         ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
         ssl_certificate     /usr/local/nginx/conf/cert.pem;
         ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -556,7 +556,7 @@ when the SSLv3 and TLS protocols are used.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>stream</context>
 <context>server</context>
 

xml/en/docs/stream/ngx_stream_zone_sync_module.xml

@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_zone_sync_module"
         link="/en/docs/stream/ngx_stream_zone_sync_module.html"
         lang="en"
-        rev="7">
+        rev="8">
 
 <section id="summary">
 
@@ -417,7 +417,7 @@ Passphrases are tried in turn when loading the key.
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]
     [<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1.2 TLSv1.3</default>
 <context>stream</context>
 <context>server</context>
 

xml/ru/docs/http/configuring_https_servers.xml

@@ -8,7 +8,7 @@
 <article name="Настройка HTTPS-серверов"
          link="/ru/docs/http/configuring_https_servers.html"
          lang="ru"
-         rev="14"
+         rev="15"
          author="Игорь Сысоев"
          editor="Brian Mercer">
 
@@ -30,7 +30,7 @@ server {
     server_name         www.example.com;
     ssl_certificate     <b>www.example.com.crt</b>;
     ssl_certificate_key <b>www.example.com.key</b>;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols       TLSv1.2 TLSv1.3;
     ssl_ciphers         HIGH:!aNULL:!MD5;
     ...
 }
@@ -58,7 +58,7 @@ server {
 можно ограничить соединения
 использованием только “сильных” версий и шифров SSL/TLS.
 По умолчанию nginx использует
-“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” и
+“<literal>ssl_protocols TLSv1.2 TLSv1.3</literal>” и
 “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
 поэтому их явная настройка в общем случае не требуется.
 Следует отметить, что значения по умолчанию этих директив несколько раз
@@ -108,7 +108,7 @@ http {
 
         ssl_certificate     www.example.com.crt;
         ssl_certificate_key www.example.com.key;
-        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols       TLSv1.2 TLSv1.3;
         ssl_ciphers         HIGH:!aNULL:!MD5;
         ...
 </programlisting>
@@ -444,6 +444,13 @@ SNI поддерживается начиная с версии 0.5.23.
 <para>
 <list type="bullet">
 
+<listitem>
+Версия 1.27.3 и более поздние: протоколами SSL по умолчанию являются
+TLSv1.2 и TLSv1.3 (если поддерживается библиотекой OpenSSL).
+В противном случае, при использовании OpenSSL 1.0.0 и более старых версий,
+протоколами SSL по умолчанию являются TLSv1 и TLSv1.1.
+</listitem>
+
 <listitem>
 Версия 1.23.4 и более поздние: протоколами SSL по умолчанию являются
 TLSv1, TLSv1.1, TLSv1.2 и TLSv1.3 (если поддерживается библиотекой OpenSSL).